Title: CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability

Severity: HIGH

Description:

CUPS, Common UNIX Printing System, is a widely used set of printing utilities for UNIX-based systems.

CUPS is prone to a remote code-execution vulnerability caused by an error in the 'HP-GL/2 filter.

Specifically, the issue stems from a bounds-checking error in the Hewlett-Packard Graphics Language filter when parsing pen width and pen color opcodes.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local users may also exploit this vulnerability to elevate privileges.

Successful remote exploits may require printer sharing to be enabled on the vulnerable system.

The issue affects versions prior to CUPS 1.3.9.

NOTE: This issue was previously discussed in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability.

Affected Products:

ALT Linux ALT Linux Compact 2.3.0
ALT Linux ALT Linux Junior 2.3.0
Apple Mac OS X 10.4.0
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.11
Apple Mac OS X 10.4.11
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.9
Apple Mac OS X 10.5
Apple Mac OS X 10.5.1
Apple Mac OS X 10.5.2
Apple Mac OS X 10.5.3
Apple Mac OS X 10.5.4
Apple Mac OS X 10.5.5
Apple Mac OS X Server 10.4.0
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.5
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.3
Apple Mac OS X Server 10.5.4
Apple Mac OS X Server 10.5.5
Caldera OpenLinux Server 3.1.0
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1.0
Caldera OpenLinux Workstation 3.1.1
Conectiva Linux 6.0.0
Conectiva Linux 7.0.0
Conectiva Linux 8.0.0
Conectiva Linux 9.0.0
Conectiva Linux Enterprise Edition 1.0.0
Debian Linux 2.2.0
Debian Linux 2.3.0
Debian Linux 3.0.0
Debian Linux 3.0.0 alpha
Debian Linux 3.0.0 arm
Debian Linux 3.0.0 hppa
Debian Linux 3.0.0 ia-32
Debian Linux 3.0.0 ia-64
Debian Linux 3.0.0 m68k
Debian Linux 3.0.0 mips
Debian Linux 3.0.0 mipsel
Debian Linux 3.0.0 ppc
Debian Linux 3.0.0 s/390
Debian Linux 3.0.0 sparc
Debian Linux 4.0
Debian Linux 4.0 alpha
Debian Linux 4.0 amd64
Debian Linux 4.0 arm
Debian Linux 4.0 hppa
Debian Linux 4.0 ia-32
Debian Linux 4.0 ia-64
Debian Linux 4.0 m68k
Debian Linux 4.0 mips
Debian Linux 4.0 mipsel
Debian Linux 4.0 powerpc
Debian Linux 4.0 s/390
Debian Linux 4.0 sparc
Easy Software Products CUPS 1.0.4
Easy Software Products CUPS 1.0.4 -8
Easy Software Products CUPS 1.1.1
Easy Software Products CUPS 1.1.10
Easy Software Products CUPS 1.1.12
Easy Software Products CUPS 1.1.13
Easy Software Products CUPS 1.1.14
Easy Software Products CUPS 1.1.15
Easy Software Products CUPS 1.1.16
Easy Software Products CUPS 1.1.17
Easy Software Products CUPS 1.1.18
Easy Software Products CUPS 1.1.19
Easy Software Products CUPS 1.1.19 rc5
Easy Software Products CUPS 1.1.19 rc5
Easy Software Products CUPS 1.1.20
Easy Software Products CUPS 1.1.21
Easy Software Products CUPS 1.1.22
Easy Software Products CUPS 1.1.22 rc1
Easy Software Products CUPS 1.1.23
Easy Software Products CUPS 1.1.23 rc1
Easy Software Products CUPS 1.1.4
Easy Software Products CUPS 1.1.4 -2
Easy Software Products CUPS 1.1.4 -3
Easy Software Products CUPS 1.1.4 -5
Easy Software Products CUPS 1.1.6
Easy Software Products CUPS 1.1.7
Easy Software Products CUPS 1.2.10
Easy Software Products CUPS 1.2.12
Easy Software Products CUPS 1.2.2
Easy Software Products CUPS 1.2.4
Easy Software Products CUPS 1.2.8
Easy Software Products CUPS 1.2.9
Easy Software Products CUPS 1.3.2
Easy Software Products CUPS 1.3.3
Easy Software Products CUPS 1.3.5
Easy Software Products CUPS 1.3.6
Easy Software Products CUPS 1.3.7
Gentoo Linux
Gentoo Linux 1.4.0
Gentoo Linux 1.4.0 _rc1
Gentoo Linux 1.4.0 _rc2
Gentoo Linux 1.4.0 _rc3
Linux kernel 2.4.19
Linux kernel 2.4.21
Linux kernel 2.6.5
MandrakeSoft Corporate Server 2.1.0
MandrakeSoft Corporate Server 2.1.0 x86_64
MandrakeSoft Corporate Server 3.0.0
MandrakeSoft Corporate Server 3.0.0 x86_64
MandrakeSoft Corporate Server 4.0
MandrakeSoft Corporate Server 4.0.0 x86_64
MandrakeSoft Linux Mandrake 10.0.0
MandrakeSoft Linux Mandrake 10.0.0 amd64
MandrakeSoft Linux Mandrake 10.1.0
MandrakeSoft Linux Mandrake 10.1.0 x86_64
MandrakeSoft Linux Mandrake 2007.1
MandrakeSoft Linux Mandrake 2007.1 x86_64
MandrakeSoft Linux Mandrake 2008.0
MandrakeSoft Linux Mandrake 2008.0 x86_64
MandrakeSoft Linux Mandrake 2008.1
MandrakeSoft Linux Mandrake 2008.1 x86_64
MandrakeSoft Linux Mandrake 2009.0
MandrakeSoft Linux Mandrake 2009.0 x86_64
MandrakeSoft Linux Mandrake 7.2.0
MandrakeSoft Linux Mandrake 8.0.0
MandrakeSoft Linux Mandrake 8.0.0 ppc
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.1.0 ia64
MandrakeSoft Linux Mandrake 8.2.0
MandrakeSoft Linux Mandrake 8.2.0 ppc
MandrakeSoft Linux Mandrake 9.0.0
MandrakeSoft Linux Mandrake 9.2.0
MandrakeSoft Linux Mandrake 9.2.0 amd64
MandrakeSoft Multi Network Firewall 2.0.0
MandrakeSoft apcupsd 2006.0
Pardus Linux 2008
RedHat Desktop 3.0.0
RedHat Desktop 4.0.0
RedHat Enterprise Linux 5 server
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux Desktop 5 client
RedHat Enterprise Linux Desktop Workstation 5 client
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4
RedHat Fedora 8
RedHat Fedora 9
RedHat PowerTools 7.0.0
S.u.S.E. Linux 7.1.0 alpha
S.u.S.E. Linux 7.1.0 ppc
S.u.S.E. Linux 7.1.0 sparc
S.u.S.E. Linux 7.1.0 x86
S.u.S.E. Linux 7.2.0 i386
S.u.S.E. Linux 7.3.0 i386
S.u.S.E. Linux 7.3.0 ppc
S.u.S.E. Linux 7.3.0 sparc
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.0.0 i386
S.u.S.E. Linux 8.1.0
S.u.S.E. Linux Enterprise Server 8
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Personal 8.2.0
S.u.S.E. Linux Personal 9.1.0
S.u.S.E. Novell Linux Desktop 9
S.u.S.E. Novell Linux POS 9
S.u.S.E. Open-Enterprise-Server
S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
S.u.S.E. SUSE Linux Enterprise Desktop 10 SP2
S.u.S.E. SUSE Linux Enterprise Server 10 SP1
S.u.S.E. SUSE Linux Enterprise Server 10 SP2
S.u.S.E. openSUSE 10.2
S.u.S.E. openSUSE 10.3
S.u.S.E. openSUSE 11.0
Turbolinux Appliance Server 1.0.0 Hosting Edition
Turbolinux Appliance Server 1.0.0 Workgroup Edition
Turbolinux Appliance Server Hosting Edition 1.0.0
Turbolinux Appliance Server Workgroup Edition 1.0.0
Turbolinux Home
Turbolinux Turbolinux Desktop 10.0.0
Turbolinux Turbolinux Server 8.0.0
Turbolinux Turbolinux Workstation 8.0.0
Ubuntu Ubuntu Linux 4.1.0 ia32
Ubuntu Ubuntu Linux 4.1.0 ia64
Ubuntu Ubuntu Linux 4.1.0 ppc
Ubuntu Ubuntu Linux 6.06 LTS amd64
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 7.04 amd64
Ubuntu Ubuntu Linux 7.04 i386
Ubuntu Ubuntu Linux 7.04 powerpc
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu Linux 7.10 amd64
Ubuntu Ubuntu Linux 7.10 i386
Ubuntu Ubuntu Linux 7.10 lpia
Ubuntu Ubuntu Linux 7.10 powerpc
Ubuntu Ubuntu Linux 7.10 sparc
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS sparc

References:

Apple: About Security Update 2008-007
Easy Software Products: Common UNIX Printing System 1.3.9
Apple: Mac OS X Home Page
Easy Software Products: STR #2911
ZDI: ZDI-08-067 - Apple CUPS 1.3.7 (HP-GL/2 filter) Remote Code Execution Vulnerabili

J-Security Center

Title: CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability

Severity: HIGH

Description:

Affected Products:

References: